Password security: act now
(13 November 2020)
We recently asked you to review your passwords to ensure the safety and security of your accounts. Whilst we recognise that the majority of staff and students will already have acted on this request, if you haven’t, we need you to do so now. Fraudsters are actively attempting to hack accounts and often target weak passwords as an easy way to gain access to systems.
It is important to understand the risks associated with using a weak password. The weaker the password, the easier it is for fraudsters to gain unauthorised access to your accounts. Users should ensure account passwords are in line with the University Password and Credential Standards.
If your password does not already comply with these standards you must change it immediately.
The standards state that passwords:
- Must have a minimum length of 10 characters, although it is strongly suggested that they have a minimum of 16 characters (e.g. four random four-letter words)
- Must be hard for others to guess (e.g. not your name, a pet’s name)
- Should contain a mix of random upper and lower case letters, numbers and special characters, or be a long combination of randomly chosen words
- Must not be reused to form a new credential when changed. Reuse includes the use of the exact same credential or the use of the same root credential with appended or pre-pended sequential characters for another account or system
What to avoid when creating a password
- Words which can be found in a dictionary (English or foreign), or such words written backwards.
- Names of family members, pets, friends, co-workers, favourite movie characters, birthdays and other personal information such as addresses and phone numbers.
- Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
- Any of the above, either preceded or followed by a digit or easy-to-guess sequence of digits (e.g. secret1, secret123, 1secret).
What to consider when creating a password
- Use a minimum of 10 characters, with a combination of upper case, lower case, numeric, and special characters. To help with this, use a password randomiser; there are a number available online. A password example would look like this: B3b7?y7jXQ!
- Use three random words that are unrelated to each other, in combination with a few special characters. This will make the password easier to remember and more difficult for fraudsters to guess. An example would look like this: performance.landscape.mile!
To change your password please go to: https://www.dur.ac.uk/cis/passwords/change/